Fix SELinux Mode Detection on No SELinux-Related Boot Params in Azure Linux 3.0+ (#717)

Since the SELinux LSM is loaded by default on Azure Linux 3.0+, when an
image has no SELinux-related arguments specific on the kernel command
line, it is expected that Image Customizer would read the SELinux config
to determine the mode.

Instead, it treats this state as disabled, causing a cascade of
failures, e.g. if any customizations are made that would require
`setfiles` to be run.

This PR is a targeted fix for Azure Linux 3.0+ that accounts for the
SELinux LSM being loaded. Behavior for other distributions and versions
are unchanged, except Fedora, which we do not fully support, as it is
expected that Fedora shares the same behavior of Azure Linux 4.0, which
mirrors Fedora closely.

Note: This fix was discovered because Azure Linux 4.0 ships with SELinux
enforced but without any SELinux-related arguments, leading to issues
with testing.

Validated with new tests:

- TestBootCustomizerSELinuxMode40 (test data matches files shipped in
Azure Linux 4.0 Alpha 2)
- TestGetSELinuxModeFromLinuxArgs_AllCombinations

Author: vinceaperri

toolkit/tools/pkg/imagecustomizerlib/bootcustomizer.go

@@ -197,7 +197,7 @@ func (b *BootCustomizer) getSELinuxModeFromCmdline(buildDir string, imageChroot
 	}
 
 	// Get the SELinux mode from the kernel command-line args.
-	selinuxMode, err := getSELinuxModeFromLinuxArgs(args)
+	selinuxMode, err := b.distroHandler.GetSELinuxModeFromLinuxArgs(args)
 	if err != nil {
 		return imagecustomizerapi.SELinuxModeDefault, false, err
 	}

toolkit/tools/pkg/imagecustomizerlib/bootcustomizer_test.go

@@ -20,6 +20,9 @@ const (
 
 	sampleGrubCfg30Path     = "bootcfgtests/3.0-grub.cfg"
 	sampleDefaultGrub30Path = "bootcfgtests/3.0-default-grub"
+
+	sampleGrubCfg40Path     = "bootcfgtests/4.0-grub.cfg"
+	sampleDefaultGrub40Path = "bootcfgtests/4.0-default-grub"
 )
 
 func TestBootCustomizerAddKernelCommandLine20(t *testing.T) {
@@ -106,7 +109,7 @@ func TestBootCustomizerSELinuxMode30(t *testing.T) {
 	selinuxMode, found, err := b.getSELinuxModeFromCmdline("", nil)
 	assert.NoError(t, err)
 	assert.True(t, found)
-	assert.Equal(t, imagecustomizerapi.SELinuxModeDisabled, selinuxMode)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDefault, selinuxMode)
 
 	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModePermissive)
 	assert.NoError(t, err)
@@ -154,6 +157,61 @@ func TestBootCustomizerSELinuxMode30(t *testing.T) {
 	checkDiffs30(t, b, "", expectedDefaultGrubFileDiff)
 }
 
+func TestBootCustomizerSELinuxMode40(t *testing.T) {
+	// AZL4 only has GRUB_CMDLINE_LINUX_DEFAULT (no GRUB_CMDLINE_LINUX).
+	// SELinux args should be added to a new GRUB_CMDLINE_LINUX variable.
+	b := createBootCustomizerFor40(t)
+
+	// AZL4 has no SELinux kernel args at all. The mode should be Default (defer to /etc/selinux/config),
+	// not Disabled.
+	selinuxMode, found, err := b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDefault, selinuxMode)
+
+	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModeDisabled)
+	assert.NoError(t, err)
+
+	// Explicit selinux=0 must read back as Disabled (not Default).
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDisabled, selinuxMode)
+
+	expectedDefaultGrubFileDiff := `7a8
+> GRUB_CMDLINE_LINUX=" selinux=0 "
+`
+	checkDiffs40(t, b, "", expectedDefaultGrubFileDiff)
+
+	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModePermissive)
+	assert.NoError(t, err)
+
+	// "security=selinux selinux=1" without enforcing=1 means the kernel defers to /etc/selinux/config.
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeDefault, selinuxMode)
+
+	expectedDefaultGrubFileDiff = `7a8
+> GRUB_CMDLINE_LINUX=" security=selinux selinux=1 "
+`
+	checkDiffs40(t, b, "", expectedDefaultGrubFileDiff)
+
+	err = b.UpdateSELinuxCommandLine(imagecustomizerapi.SELinuxModeForceEnforcing)
+	assert.NoError(t, err)
+
+	// enforcing=1 alongside the security/selinux pair locks the mode to enforcing.
+	selinuxMode, found, err = b.getSELinuxModeFromCmdline("", nil)
+	assert.NoError(t, err)
+	assert.True(t, found)
+	assert.Equal(t, imagecustomizerapi.SELinuxModeForceEnforcing, selinuxMode)
+
+	expectedDefaultGrubFileDiff = `7a8
+> GRUB_CMDLINE_LINUX="  security=selinux selinux=1 enforcing=1 "
+`
+	checkDiffs40(t, b, "", expectedDefaultGrubFileDiff)
+}
+
 func TestBootCustomizerVerity20(t *testing.T) {
 	b := createBootCustomizerFor20(t)
 
@@ -191,6 +249,11 @@ func checkDiffs30(t *testing.T, b *BootCustomizer, expectedGrubCfgDiff string, e
 		expectedGrubCfgDiff, expectedDefaultGrubFileDiff)
 }
 
+func checkDiffs40(t *testing.T, b *BootCustomizer, expectedGrubCfgDiff string, expectedDefaultGrubFileDiff string) {
+	checkDiffs(t, b, filepath.Join(testDir, sampleGrubCfg40Path), filepath.Join(testDir, sampleDefaultGrub40Path),
+		expectedGrubCfgDiff, expectedDefaultGrubFileDiff)
+}
+
 func checkDiffs(t *testing.T, b *BootCustomizer, originalGrubCfgPath string, originalDefaultGrubFilePath string,
 	expectedGrubCfgDiff string, expectedDefaultGrubFileDiff string,
 ) {
@@ -214,15 +277,21 @@ func calcDiff(t *testing.T, oldPath string, newContent string) string {
 
 func createBootCustomizerFor20(t *testing.T) *BootCustomizer {
 	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg20Path),
-		filepath.Join(testDir, sampleDefaultGrub20Path), false)
+		filepath.Join(testDir, sampleDefaultGrub20Path), false, newAzureLinuxDistroHandler("2.0"))
 }
 
 func createBootCustomizerFor30(t *testing.T) *BootCustomizer {
 	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg30Path),
-		filepath.Join(testDir, sampleDefaultGrub30Path), true)
+		filepath.Join(testDir, sampleDefaultGrub30Path), true, newAzureLinuxDistroHandler("3.0"))
+}
+
+func createBootCustomizerFor40(t *testing.T) *BootCustomizer {
+	return createBootCustomizer(t, filepath.Join(testDir, sampleGrubCfg40Path),
+		filepath.Join(testDir, sampleDefaultGrub40Path), true, newAzureLinuxDistroHandler("4.0"))
 }
 
 func createBootCustomizer(t *testing.T, sampleGrubCfgPath string, sampleDefaultGrubFilePath string, isGrubMkconfig bool,
+	distroHandler DistroHandler,
 ) *BootCustomizer {
 	sampleGrubCfgContent, err := os.ReadFile(sampleGrubCfgPath)
 	assert.NoError(t, err, "failed to read sample grub.cfg file")
@@ -239,6 +308,7 @@ func createBootCustomizer(t *testing.T, sampleGrubCfgPath string, sampleDefaultG
 		grubCfgContent:         string(sampleGrubCfgContent),
 		defaultGrubFileContent: string(sampleDefaultGrubFileContent),
 		bootConfigType:         bootConfigType,
+		distroHandler:          distroHandler,
 	}
 	return b
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler.go

@@ -58,6 +58,11 @@ type DistroHandler interface {
 	// Reports whether SELinux configuration is supported by the tool for this distro.
 	SELinuxSupported() bool
 
+	// GetSELinuxModeFromLinuxArgs interprets parsed kernel command-line args and returns the effective SELinux mode
+	// the kernel will boot with. Returns SELinuxModeDefault to indicate the caller should fall back to reading
+	// /etc/selinux/config.
+	GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg) (imagecustomizerapi.SELinuxMode, error)
+
 	// ReadGrub2ConfigFile reads the distro-appropriate grub.cfg file from the chroot.
 	ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error)
 

toolkit/tools/pkg/imagecustomizerlib/distrohandler_acl.go

@@ -82,6 +82,11 @@ func (d *aclDistroHandler) SELinuxSupported() bool {
 	return true
 }
 
+func (d *aclDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	return getSELinuxModeFromLinuxArgs(args)
+}
+
 func (d *aclDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	// ACL does not use GRUB. Return empty string with ErrNotExist so callers
 	// that tolerate a missing grub.cfg can proceed without error.

toolkit/tools/pkg/imagecustomizerlib/distrohandler_azurelinux.go

@@ -103,6 +103,15 @@ func (d *azureLinuxDistroHandler) SELinuxSupported() bool {
 	return true
 }
 
+func (d *azureLinuxDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	if d.version == "2.0" {
+		return getSELinuxModeFromLinuxArgs(args)
+	}
+
+	return getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+}
+
 func (d *azureLinuxDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.FedoraGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler_fedora.go

@@ -95,6 +95,11 @@ func (d *fedoraDistroHandler) SELinuxSupported() bool {
 	return true
 }
 
+func (d *fedoraDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	return getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+}
+
 func (d *fedoraDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.FedoraGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/distrohandler_ubuntu.go

@@ -116,6 +116,11 @@ func (d *ubuntuDistroHandler) SELinuxSupported() bool {
 	return false
 }
 
+func (d *ubuntuDistroHandler) GetSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg,
+) (imagecustomizerapi.SELinuxMode, error) {
+	return getSELinuxModeFromLinuxArgs(args)
+}
+
 func (d *ubuntuDistroHandler) ReadGrub2ConfigFile(imageChroot safechroot.ChrootInterface) (string, error) {
 	return readGrub2ConfigFile(imageChroot, installutils.DebianGrubCfgFile)
 }

toolkit/tools/pkg/imagecustomizerlib/grubcfgutils.go

@@ -750,6 +750,22 @@ func getSELinuxModeFromLinuxArgs(args []grubConfigLinuxArg) (imagecustomizerapi.
 	return imagecustomizerapi.SELinuxModeDefault, nil
 }
 
+// getSELinuxModeFromLinuxArgsDeferIfMissing wraps getSELinuxModeFromLinuxArgs so that completely absent
+// SELinux cmdline args resolve to SELinuxModeDefault (defer to /etc/selinux/config) rather than SELinuxModeDisabled.
+// If any is present (e.g. security=apparmor, selinux=0, enforcing=1), the original Disabled result is preserved.
+func getSELinuxModeFromLinuxArgsDeferIfMissing(args []grubConfigLinuxArg) (imagecustomizerapi.SELinuxMode, error) {
+	mode, err := getSELinuxModeFromLinuxArgs(args)
+	if err != nil || mode != imagecustomizerapi.SELinuxModeDisabled {
+		return mode, err
+	}
+
+	if len(findMatchingCommandLineArgs(args, selinuxArgNames)) == 0 {
+		return imagecustomizerapi.SELinuxModeDefault, nil
+	}
+
+	return imagecustomizerapi.SELinuxModeDisabled, nil
+}
+
 // Gets the SELinux mode set by the /etc/selinux/config file.
 func getSELinuxModeFromConfigFile(imageChroot safechroot.ChrootInterface) (imagecustomizerapi.SELinuxMode, error) {
 	selinuxConfigFilePath := filepath.Join(imageChroot.RootDir(), installutils.SELinuxConfigFile)

toolkit/tools/pkg/imagecustomizerlib/grubcfgutils_test.go

@@ -0,0 +1,117 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package imagecustomizerlib
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/microsoft/azure-linux-image-tools/toolkit/tools/imagecustomizerapi"
+	"github.com/stretchr/testify/assert"
+)
+
+// selinuxArgState describes the state of a single SELinux-related kernel command-line arg.
+// If Present is false, the arg is not on the cmdline at all (Value is ignored).
+type selinuxArgState struct {
+	Present bool
+	Value   string
+}
+
+// TestGetSELinuxModeFromLinuxArgs_AllCombinations exhaustively covers the 3x3x3 = 27 combinations of
+// (security, selinux, enforcing) kernel command-line arg states.
+func TestGetSELinuxModeFromLinuxArgs_AllCombinations(t *testing.T) {
+	const (
+		Disabled       = imagecustomizerapi.SELinuxModeDisabled
+		Default        = imagecustomizerapi.SELinuxModeDefault
+		ForceEnforcing = imagecustomizerapi.SELinuxModeForceEnforcing
+	)
+
+	absent := selinuxArgState{Present: false}
+	present := func(v string) selinuxArgState { return selinuxArgState{Present: true, Value: v} }
+
+	testCases := []struct {
+		Name          string
+		Security      selinuxArgState
+		Selinux       selinuxArgState
+		Enforcing     selinuxArgState
+		ExpectedBase  imagecustomizerapi.SELinuxMode
+		ExpectedDefer imagecustomizerapi.SELinuxMode
+	}{
+		// security=absent
+		{"security=absent/selinux=absent/enforcing=absent", absent, absent, absent, Disabled, Default},
+		{"security=absent/selinux=absent/enforcing=0", absent, absent, present("0"), Disabled, Disabled},
+		{"security=absent/selinux=absent/enforcing=1", absent, absent, present("1"), Disabled, Disabled},
+		{"security=absent/selinux=0/enforcing=absent", absent, present("0"), absent, Disabled, Disabled},
+		{"security=absent/selinux=0/enforcing=0", absent, present("0"), present("0"), Disabled, Disabled},
+		{"security=absent/selinux=0/enforcing=1", absent, present("0"), present("1"), Disabled, Disabled},
+		{"security=absent/selinux=1/enforcing=absent", absent, present("1"), absent, Disabled, Disabled},
+		{"security=absent/selinux=1/enforcing=0", absent, present("1"), present("0"), Disabled, Disabled},
+		{"security=absent/selinux=1/enforcing=1", absent, present("1"), present("1"), Disabled, Disabled},
+
+		// security=selinux
+		{"security=selinux/selinux=absent/enforcing=absent", present("selinux"), absent, absent, Disabled, Disabled},
+		{"security=selinux/selinux=absent/enforcing=0", present("selinux"), absent, present("0"), Disabled, Disabled},
+		{"security=selinux/selinux=absent/enforcing=1", present("selinux"), absent, present("1"), Disabled, Disabled},
+		{"security=selinux/selinux=0/enforcing=absent", present("selinux"), present("0"), absent, Disabled, Disabled},
+		{"security=selinux/selinux=0/enforcing=0", present("selinux"), present("0"), present("0"), Disabled, Disabled},
+		{"security=selinux/selinux=0/enforcing=1", present("selinux"), present("0"), present("1"), Disabled, Disabled},
+		{"security=selinux/selinux=1/enforcing=absent", present("selinux"), present("1"), absent, Default, Default},
+		{"security=selinux/selinux=1/enforcing=0", present("selinux"), present("1"), present("0"), Default, Default},
+		{"security=selinux/selinux=1/enforcing=1", present("selinux"), present("1"), present("1"), ForceEnforcing, ForceEnforcing},
+
+		// security=apparmor
+		{"security=apparmor/selinux=absent/enforcing=absent", present("apparmor"), absent, absent, Disabled, Disabled},
+		{"security=apparmor/selinux=absent/enforcing=0", present("apparmor"), absent, present("0"), Disabled, Disabled},
+		{"security=apparmor/selinux=absent/enforcing=1", present("apparmor"), absent, present("1"), Disabled, Disabled},
+		{"security=apparmor/selinux=0/enforcing=absent", present("apparmor"), present("0"), absent, Disabled, Disabled},
+		{"security=apparmor/selinux=0/enforcing=0", present("apparmor"), present("0"), present("0"), Disabled, Disabled},
+		{"security=apparmor/selinux=0/enforcing=1", present("apparmor"), present("0"), present("1"), Disabled, Disabled},
+		{"security=apparmor/selinux=1/enforcing=absent", present("apparmor"), present("1"), absent, Disabled, Disabled},
+		{"security=apparmor/selinux=1/enforcing=0", present("apparmor"), present("1"), present("0"), Disabled, Disabled},
+		{"security=apparmor/selinux=1/enforcing=1", present("apparmor"), present("1"), present("1"), Disabled, Disabled},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.Name, func(t *testing.T) {
+			args := buildSELinuxArgs(tc.Security, tc.Selinux, tc.Enforcing)
+
+			gotBase, err := getSELinuxModeFromLinuxArgs(args)
+			assert.NoError(t, err, "getSELinuxModeFromLinuxArgs returned unexpected error")
+			assert.Equal(t, tc.ExpectedBase, gotBase, "getSELinuxModeFromLinuxArgs mismatch")
+
+			gotDefer, err := getSELinuxModeFromLinuxArgsDeferIfMissing(args)
+			assert.NoError(t, err, "getSELinuxModeFromLinuxArgsDeferIfMissing returned unexpected error")
+			assert.Equal(t, tc.ExpectedDefer, gotDefer, "getSELinuxModeFromLinuxArgsDeferIfMissing mismatch")
+		})
+	}
+}
+
+// buildSELinuxArgs constructs a synthetic []grubConfigLinuxArg that only populates the Name and Value fields
+// (which are the only fields read by getSELinuxModeFromLinuxArgs / findKernelCommandLineArgValue /
+// findMatchingCommandLineArgs). This avoids needing to round-trip through the grub tokenizer for unit tests.
+func buildSELinuxArgs(security, selinux, enforcing selinuxArgState) []grubConfigLinuxArg {
+	var args []grubConfigLinuxArg
+	if security.Present {
+		args = append(args, grubConfigLinuxArg{
+			Name:  "security",
+			Value: security.Value,
+			Arg:   fmt.Sprintf("security=%s", security.Value),
+		})
+	}
+	if selinux.Present {
+		args = append(args, grubConfigLinuxArg{
+			Name:  "selinux",
+			Value: selinux.Value,
+			Arg:   fmt.Sprintf("selinux=%s", selinux.Value),
+		})
+	}
+	if enforcing.Present {
+		args = append(args, grubConfigLinuxArg{
+			Name:  "enforcing",
+			Value: enforcing.Value,
+			Arg:   fmt.Sprintf("enforcing=%s", enforcing.Value),
+		})
+	}
+	return args
+}

toolkit/tools/pkg/imagecustomizerlib/testdata/bootcfgtests/4.0-default-grub

@@ -0,0 +1,7 @@
+GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 rd.shell=0"
+GRUB_ENABLE_BLSCFG=true
+GRUB_GFXMODE=auto
+GRUB_TERMINAL_INPUT="console"
+GRUB_TERMINAL_OUTPUT="gfxterm"
+GRUB_TIMEOUT=0
+GRUB_DEFAULT=saved